Son Dakika
TRABD, İran'a Karşı Hava Saldırıları BaşlattıINTLUS Launches Strikes Against Iran After Attacks on Commercial VesselsAUAustralian Shares Set for Lower Open Amid Middle East TensionsRUСША нанесли удары по Ирану в ответ на атаки на судаAULancelin community fundraises $150,000 for new sea wall as erosion worsensARمصر تدين استهداف ناقلات في مضيق هرمز وتؤكد تضامنها مع السعودية وقطرKR강남구, '2026 강남구 행복 일자리 박람회' 개최RUСпецпосланник Байдена и зять Трампа могут посетить МосквуCRYPTO-ENSEC to Unveil Crypto Rulemaking This Month, Offering Safe HarborsESDjokovic sobrevive a Auger-Aliassime en Wimbledon en un maratón de cinco setsTRABD, İran'a Karşı Hava Saldırıları BaşlattıINTLUS Launches Strikes Against Iran After Attacks on Commercial VesselsAUAustralian Shares Set for Lower Open Amid Middle East TensionsRUСША нанесли удары по Ирану в ответ на атаки на судаAULancelin community fundraises $150,000 for new sea wall as erosion worsensARمصر تدين استهداف ناقلات في مضيق هرمز وتؤكد تضامنها مع السعودية وقطرKR강남구, '2026 강남구 행복 일자리 박람회' 개최RUСпецпосланник Байдена и зять Трампа могут посетить МосквуCRYPTO-ENSEC to Unveil Crypto Rulemaking This Month, Offering Safe HarborsESDjokovic sobrevive a Auger-Aliassime en Wimbledon en un maratón de cinco sets
Newsgather
GeriMassive Fortinet Firewall Breach Exposes Major Global Organizations to Russian-Speaking Attackers
Massive Fortinet Firewall Breach Exposes Major Global Organizations to Russian-Speaking Attackers
Acil
Ars Technica17.06.2026Teknoloji4 dk okumaUnited States

Massive Fortinet Firewall Breach Exposes Major Global Organizations to Russian-Speaking Attackers

Hızlı Bakış

  • A massive breach of Fortinet firewalls has exposed nearly 74,000 devices globally, granting Russian-speaking attackers access to major organizations like Oracle, Chevron, and a NATO defense contractor.
  • Researchers found plaintext credentials online, enabling lateral movement into critical systems like Active Directory.

Yapay zekâ özeti

Neden Önemli?

A massive breach of Fortinet firewalls has exposed credentials for nearly 74,000 devices globally, giving attackers access to major organizations. Researchers found the data after accessing the attackers' infrastructure.

Yazı boyutu

Researchers have uncovered a massive breach of Fortinet firewalls that has given Russian-speaking attackers near-unrestricted access to some of the world’s largest and most powerful organizations, including Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself.

Nearly 74,000 Fortinet devices from more than 21,000 IP addresses in 194 countries have been compromised and their plaintext credentials exposed online, Bob Diachenko, a security researcher and head of SecurityDiscovery.com, said online and in an interview. He said he found the data after gaining access to the attackers’ command-and-control server and other infrastructure. The exposed data also included the industry, revenue, and employee count for each compromised organization.

Exceptional scale, poor opsec

Independent researcher Kevin Beaumont reported that “almost all” of the compromised devices remained online as of Wednesday morning. He went on to say that he has confirmed with multiple organizations found in the attackers’ logs that the credentials are real and current. In many cases, once the threat actors compromised the devices, they went on to access affected organizations’ centralized authentication systems, such as Radius servers and Microsoft Active Directory. The number of compromised devices comprises roughly half of all Internet-facing Fortinet firewalls, based on polling from Shodan.

“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” researchers from Hudson Rock, a security firm that also analyzed the data, wrote. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”

Diachenko, Beaumont, and Hudson Rock all urged Fortinet users to investigate their networks immediately for signs of compromise. Hudson Rock provided this search engine for locating affected domains.

The scale of the operation is exceptional. The threat actor, which Diachenko said was criminally motivated, started by mass-scanning the Internet for FortiGate remote login endpoints. They then used a custom binary with 25,000 threads to spray hundreds of thousands of those endpoints with thousands of login and password combinations. Successful attempts now gave the attackers a “network tap inside the organization.”

Hudson Rock said the attackers went on to “actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis.” From there, they used the GPU cluster to crack the hashes, meaning to try massive combinations of plain-text passwords until they found the right one. These passwords allowed the threat actors to move laterally to compromise Active Directory environments and other centralized authentication systems.

“This aggressive methodology has led to severe, real-world consequences,” Hudson Rock said. “Diachenko’s research confirmed full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated by the group.”

In the interview, Diachenko put it more succinctly. “The scale is the sophistication,” he said.

The scale didn’t stop there. The attackers used the massive cluster to run a” feedback-driven, 12-level recursive system.” In other words, there wasn’t a single flat dictionary run. Password candidates came from custom dictionaries with as many as eight words, common keyboard patterns, and cracking rules. Each one looped back with each step. When guesses were successful, the passwords were fed back as seeds to generate still more candidates. In other words, the cracking techniques improved with each successful guess.

“They were quite innovative on that,” the researcher said.

The innovation contrasts sharply with the operational security of the attackers, who left artifacts on the server they used. In hacker circles, such moves are considered amateur mistakes.

Hudson Rock said that the top countries where compromised devices were found were India, the US, Taiwan, Mexico, Turkey, and Thailand. The top industries affected were IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services. Other organizations whose data appeared in the database included: Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture. Hudson Rock said that the database listed thousands of others, including major government agencies and critical infrastructure providers.

Firewalls have long been a favorite network entry point for hackers. These devices accept connections from the outside Internet, sit at the perimeter of a network, and have access to valuable resources deep inside.

The links above list a number of steps Fortinet firewall users should take to ensure their networks are secure. Given that the data has been available to cybercriminals and potentially other threat actors who, like Diachenko, found it, the risk is substantial.

Bundan Sonra Ne Olabilir?

Yapay zekâ öngörüsü — kesinlik taşımaz

  • Fortinet will release a mandatory security patch and guidance for users.

    Çok muhtemel · Günler içinde

  • Investigations into the Russian-speaking group will intensify.

    Muhtemel · Haftalar içinde

Açık Sorular

  • What specific defense documents were exfiltrated?
  • Will Fortinet face regulatory action?
  • How many more organizations are affected but not yet identified?

İlgili Konular

Bu haber ilk olarak şurada yayınlandı: Ars Technica.

İlgili Haberler

Bu konuda daha fazlacybersecurity